Method and system for proxying telephony messages

ABSTRACT

A proxy computer of a network can receive incoming telephony messages from one or more computers outside of the network and proxy them to computers within the network. Similarly, the proxy computer can receive outgoing telephony messages from within the network and proxy them to computers outside of the network. To set up inbound calls, a proxy program on the proxy computer looks for the presence of an alias in the call signaling messages, references a data structure to determine which computer on the network is associated with the alias, and proxies the call signaling and control messages between the callee computer and the calling computer based on the association, thereby creating a logical connection between the calling computer and the callee computer.

TECHNICAL FIELD

This invention relates generally to telephony over a computer network and, more particularly, to a method and system for proxying a call originating from a public network to a computer on a private network using a publicly known alias available from a directory service.

BACKGROUND

Telephony over computer networks has become more and more popular in recent years. In particular, multi-party conferencing systems such as NETMEETING by the MICROSOFT CORPORATION have given consumers and businesses the ability to conduct full audio and visual teleconferencing over traditional computer networks, thereby avoiding the high costs associated with renting time at a dedicated conference center.

One problem associated with network telephony is that most private networks are protected from the outside through the use of a proxy or firewall. Therefore, the internal IP addresses of the computers behind the proxy are hidden from potential callers outside the private network. This makes it impossible for outside callers to call a computer on a private network directly. Thus, it can be seen that there is a need for a novel method and system for proxying telephony messages.

SUMMARY OF THE INVENTION

In accordance with this need, a method and system for proxying telephony messages is provided. According to the method and system, a proxy computer of a private network can receive incoming telephony messages from one or more computers of a public network and proxy them to computers within the private network. Similarly, the proxy computer can also receive outgoing telephony messages from within the network and proxy them to computers outside of the network. To enable inbound calls, a proxy program on the proxy computer looks for the presence of an alias in the call signaling messages, references a data structure to determine which computer on the network is associated with the alias, and proxies the call signaling and control messages between the callee computer and the calling computer based on the association, thereby creating a logical connection between the calling computer and the callee computer.

BRIEF DESCRIPTION OF THE DRAWINGS

While the appended claims set forth the features of the present invention with particularity, the invention, together with its objects and advantages, may be best understood from the following detailed description taken in conjunction with the accompanying drawings of which:

FIG. 1 is a block diagram illustrating an example computer environment in which the invention may be used;

FIG. 2 is a block diagram illustrating an example of a network environment in which the invention can operate;

FIG. 3 is a block diagram illustrating an example of an architecture that may be used for a proxy program;

FIG. 4 is a block diagram illustrating specific features that may be used in the example proxy program of FIG. 3;

FIG. 5 is a block diagram illustrating an example of an architecture that may be used for an H.323 call bridge object;

FIG. 6 is a block diagram illustrating an example of an architecture that may be used for an LDAP connection object;

FIG. 7 is a call flow diagram illustrating an example message flow of AddRequest and AddResponse messages between a private network computer and a directory service;

FIG. 8 is a flow chart illustrating an example of steps that may be performed when processing an AddRequest message;

FIG. 9 is a flowchart illustrating an example of steps that may be performed when processing an AddResponse message;

FIG. 10 is a flowchart illustrating an example of steps that may be performed when processing a SearchResponse message; and

FIGS. 11 and 12 are call flow diagrams illustrating an example of the message flow between a private network computer and a public network computer in creating a logical connection between the computers.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Turning to the drawings, wherein like reference numerals refer to like elements, an exemplary environment for implementing the invention is shown in FIG. 1. The environment includes a general-purpose computing device 20, including a central processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21. The system bus 23 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system (BIOS) 26, containing the basic routines that help to transfer information between elements within the computing device 20, such as during start-up, is stored in the ROM 24. The computing device 20 further includes a hard disk drive 27 for reading from and writing to a hard disk 60, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD ROM or other optical media.

The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical disk drive interface 34, respectively. The drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, programs and other data for the computing device 20. Although the exemplary environment described herein employs a hard disk 60, a removable magnetic disk 29, and a removable optical disk 31, it will be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories, read only memories, and the like may also be used in the exemplary operating environment.

A user may enter commands and information into the computing device 20 through input devices such as a keyboard 40, which is typically connected to the computing device 20 via a keyboard controller 62, and a pointing device, such as a mouse 42. Other input devices (not shown) may include a microphone, joystick, game pad, wireless antenna, scanner, or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port, a universal serial bus (USB), or a 1394 bus. A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor, computing devices typically include other peripheral output devices, not shown, such as speakers and printers.

The computing device 20 may operate in a networked environment using logical connections to one or more devices within a network 63, including another computing device, a server, a network PC, a peer device or other network node. These devices typically include many or all of the elements described above relative to the computing device 20. The logical connections depicted in FIG. 1 include a land-based network link 51, for which there are many possible implementations, including a local area network (LAN) link and a wide area network (WAN) link. Land-based network links are commonplace in offices, enterprise-wide computer networks, intranets and the Internet and include such physical implementations as coaxial cable, twisted copper pairs, fiber optics, and the like. Data may be transmitted over the network links 51 according to a variety of well-known transport standards, including Ethernet, SONET, DSL, T-1, and the like. When used in a LAN, the computing device 20 is connected to the network 51 through a network interface card or adapter 53. When used in a WAN, the computing device 20 typically includes a modem 54 or other means for establishing communications over the network link 51, as shown by the dashed line. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, programs depicted relative to the computing device 20, or portions thereof, may be stored on other devices within the network 63.

Those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, parts of a program may be located in both local and remote memory storage devices.

In the description that follows, the invention will be described with reference to acts and symbolic representations of operations that are performed by one or more logic elements. As such, it will be understood that such acts and operations may include the execution of microcoded instructions as well as the use of sequential logic circuits to transform data or to maintain it at locations in the memory system of the computer. Reference will also be made to one or more programs or modules executing on a computer system or being executed by parts of a CPU. A “program” or “module” is any instruction or set of instructions that can execute on a computer, including a process, procedure, function, executable code, dynamic-linked library (DLL), applet, native instruction, module, thread, or the like. A program or module may also include a commercial software application or product, which may itself include several programs. However, while the invention is being described in the context of software, it is not meant to be limiting as those of skill in the art will appreciate that various of the acts and operations described hereinafter may also be implemented in hardware.

The invention is generally realized as a method of proxying a call originating from a public network to a computer on a private network using a publicly-known alias obtainable from a directory service. Turning now to FIG. 2, an example of a network environment in which the invention can operate is shown. A proxy program, generally labeled 100, executes on a proxy computer 102 of a private network 108. The proxy computer 102 acts as a conduit through which data may be transmitted from the private network 108 to a public network 116 and vice versa over a network link 128. The proxy computer 102 is linked to one or more network computers, such as network computers 104, 105 and 106 by a network link 122. The proxy computer 102 and the computers 104-106 may be implemented as any suitable computing devices, including workstations, personal computers, servers, handheld devices, or the like. The proxy computer may function as a peer of the network computers 104-106.

The public network 116 includes computers 110, 112 and 115, which are communicatively linked to the network 116 by network links 130, 132 and 131 respectively. To help illustrate the operation of the invention, it will be assumed that the public IP address of the proxy computer 102 is 171.31.55.50, and is recognizable by the public network 116, while the private IP address of the proxy computer 102 is 192.168.0.1. It is further assumed that the IP address of the computer 104 is 192.168.0.55, and the IP address of the computer 110 is 172.31.55.55. It is finally assumed that private IP addresses of the private network 108, such as that of the computer 104, are unroutable outside of the private network 108.

The private network 108 may be a home network, business enterprise network, institutional network, government agency network, or the like. The public network 116 may be one that is available to the general public, such as the Internet, or one that is available to a group of users. Access to the computers of the private network 108 may be gained through the proxy computer 102. The public network 116 may even be an internal network that is in the same organization as the private network 108. For example, the public network 116 may be accessible to all employees of a company, while the private network 108 is accessible only to a certain department. The private network 108 and the public network 116 may themselves be comprised of any number of sub-networks. Although the number of computers depicted in the private network 108 and the public network 116 is relatively small, it is understood that the number is meant only to be illustrative, and that these networks may, in fact, have any number of computers. It is also understood that there may be other computing devices between the proxy computer 102 and the public network 116, including gateways, routers, firewalls, and the like. The proxy computer 102 itself may also be implemented as a gateway, router, firewall, or the like.

To make audio or visual telephony calls to a computer of the private network 108 in accordance with a preferred embodiment of the invention, a computer of the public network 116 uses the alias of the private network computer to request an IP address. The alias may be comprised of plain text alphanumeric characters, such as an email alias. The calling computer submits the request to a directory service 120, which may be an Internet location server (ILS) communicatively linked to the public network 116 by a network link 134. The directory service 120 looks up the alias in a directory 121 and returns the IP address that is listed for that alias, which, in this example, is the public IP address of the proxy computer 102. The calling computer then sends a call setup message to the listed IP address—i.e. to the proxy computer 102—and includes the looked-up alias in the call setup message. The proxy program 100 uses the alias to determine which computer of the private network 108 is the callee, and creates a logical connection between the calling computer and the callee computer.

Referring to FIG. 3, an example of an architecture that may be used for a proxy program operating in accordance with a preferred embodiment of the invention is shown. Several functions of the proxy program 100 are performed by a telephony module 146 and a directory access module 148. The directory access module 148 processes requests from one or more of the computers of the private network 108 to register aliases with the directory service 120 (FIG. 2), and processes the corresponding responses received from the directory service 120. The directory access module 148 also maintains a data structure 154, which may be an address translation table, or the like, that associates the aliases being used by the computers of the private network 108 with their respective private network addresses. The telephony module 146 establishes logical connections between the public network computers and the private network computers.

To communicate, the telephony module 146 and directory access module 148 transmit and receive messages through a transport control protocol (TCP) module 140 and an internet protocol (IP) module 144. The TCP module 140 wraps messages received from the modules 146 and 148 into one or more TCP segments, which are then sent to the IP module 144. The IP module 144 further wraps the TCP segments received from the TCP module 140 into IP packets which may then be transmitted either to the private network 108 or to the public network 116 over the network links 122 and 128 respectively. The TCP module 140 and IP module 144 also unwrap TCP and IP messages respectively as they travel up to the telephony module 146 and directory access module 148.

In creating an IP packet, the IP module 144 generates an IP header having a source and a destination IP address. The telephony module 146 may provide the source and destination IP address to the IP module 144 via the TCP module 140. A network address translation (NAT) module 142 redirects the IP packets generated by the IP module 144 to the proper IP address and port number according to a set of redirect instructions stored in a data structure 156, which may be a look-up table or the like. Network address translation is a well known networking procedure, and may be implemented as described in the Internet Engineering Task Force (IETF) request for comments (RFC) 1631, by K. Egevang and P. Francis, published May 1994.

Referring to FIGS. 2 and 3, an example of how computer 104 of the private network 108 registers an alias with the directory service 120 using the proxy program 100 in accordance with the present invention will be described. The computer 104 first generates a message containing a request to have the alias “Joe” registered with the IP address 192.168.0.55. The computer sends the request with the intended destination being the directory service 120. The directory access module 148 of the proxy program 100 receives the message after it passes through the IP module 144, the TCP module 140 and the IP module 142. The directory access module 148 then generates a second message containing a request to have the alias “Joe” registered with the IP address 171.31.55.50 (the public IP address of the proxy) on behalf of the computer 104. The directory access module 148 then sends the second message back down through the TCP module 140 and the IP module 144. The second message is then sent over the network link 128 and to the public network 116 for transmission to the directory service 120 over the network link 134.

If the directory service 120 grants the request, it creates an entry in the directory 121—the entry 123, for example—that associates the IP address 172.31.20.55 with the alias “Joe.” The directory service 120 then transmits a response message back over the network link 134, the public network 116, the network link 128 and to the proxy computer 102. The response then travels up the NAT module 142, IP module 144, the TCP module 140 and to the directory access module 148. The response message confirms that the alias “Joe” has been registered with the IP address 192.168.0.1. The directory access module 148 then transmits the modified response message down through the TCP module 140, the IP module 144, the NAT module 142 and back to the private network computer 104. The directory access module 148 also creates an entry in the data structure 154 that associates the IP address 192.168.0.55 with the alias “Joe.”

In a related aspect of the invention, the NAT module 142 (FIG. 3) may assist the directory access module 148 by intercepting requests and responses to and from the directory service 120 (FIG. 2). For example, one protocol that may be used to communicate with the directory service 120 is the well-known Lightweight Directory Access Protocol (LDAP), a version of which is described in IETF-RFC 2251, by M. Wahl, T. Howes and S. Kille, published in December 1997. LDAP messages are transmitted over ports 1002 and 389. Thus, to insure that all LDAP messages are routed to the proxy program 100 on the proxy computer 102, the proxy program 100 may, upon initialization for example, insert the NAT redirect instructions “1002, *” and “389, *” into the data structure 156. These instructions insure that the NAT module 142 redirects all messages received on these ports to the proxy computer 102 and up to the proxy program 100. Although the NAT module 148 is depicted as being located on the proxy computer 102, persons of ordinary skill in the art will recognize that the NAT module 148 and data structure 156 may instead be located on a separate computer of the private network 108, such as on a NAT server 114, which is depicted as a dashed block in FIG. 2. If employed, the NAT server 114 may intercept messages traveling through the private network 108 and redirect them to the port and IP address or addresses specified in the data structure 156.

Once the proxy computer 102 has registered the alias “Joe” with the directory service 120 on behalf of the computer 104, a computer on the public network 116 can initiate a call to the computer 104 using the registered alias. The computer 110 can, for example, send a request to obtain the IP address for “Joe” to the directory service 120. In response to the request, the public network computer 110 would receive the external IP address of the proxy computer 102, which is 171.31.55.50 in this example.

To make a call to the computer 104, the computer 110 transmits a setup message containing the alias “Joe” over the network link 130, through the public network 116, over the network link 128 and to the proxy computer 102. The proxy program 100 receives the setup message after it passes through the NAT module 142, the IP module 144 and the TCP module 140. The telephony module 146 extracts the alias “Joe” from the setup message and submits a request for the IP address of the computer currently using the alias “Joe” to the directory access module 148. The directory access module 148 then looks up the alias “Joe” in the data structure 154 and determines that the alias is associated with the IP address 192.168.0.55—that of the computer 104. The directory access module 148 returns the IP address to the telephony module 146.

The telephony module 146 generates a second setup message that contains the IP address 192.168.0.55. The telephony module 146 also provides the new destination IP address to the TCP module 140, which in turn provides the new IP address to the IP module 144. The telephony module 146 then sends the setup message down through the TCP module 140 and to the IP module 144. The IP module 144 creates an IP header having a destination address of 192.168.0.55 for the setup message. The IP module 144 then sends the setup message through the NAT module 142 and out over the network link 122 to the computer 104. The second setup message performs the same function as the setup message received from the computer 110, except that the callee IP address is now that of the actual callee (computer 104) instead of the proxy. In effect, the proxy sends a call setup message to the computer 104 on behalf of the actual caller.

The telephony module 146 continues to receive signaling and control messages from the computer 110. Those inbound and outbound messages that do not contain callee information or port number assignments are simply forwarded by the telephony module to the computer 104 or the computer 110 respectively. This forwarding process occurs at the TCP and IP modules 140 and 142, and involves replacing instances of the proxy's IP address with the private network computers' IP address in the IP headers, and replacing the port numbers assigned by the public network computer 110 with port numbers chosen internally by the telephony module 146 in the TCP headers. The telephony module 146 may also negotiate with the computer 104 and the computer 110 to determine which ports are to be used for communication between the proxy computer 102 and the private network computer 104, as well as between the proxy computer 102 and the public network computer 110. As a result of the negotiation, the telephony module 146 may agree to communicate with the computer 104 on one set of ports and agree to communicate with the computer 110 on another different set of ports.

In another related aspect of the invention, the NAT module 142 may assist in setting up one or more calls by routing call signaling messages to the proxy program 100. For example, one method of call signaling that may be used by a computer of the public network 116 is the well-known International Telecommunications Union (ITU) recommendation Q.931, which is incorporated by reference herein in its entirety. Q.931 signaling messages are transmitted using port 1720. Thus, to insure that all Q.931 messages are routed to the proxy program 100 on the proxy computer 102, the proxy program 100 may, upon initialization for example, insert the NAT redirect instruction “1720, *” into the data structure 156. This instruction insures that the NAT module 142 redirects all messages received on these ports to the proxy program 100.

Once logical connections between the proxy computer 102 and the public network computer 110, and between the proxy computer 102 and the private network computer 104 have been negotiated, it is preferred that the media packets used to transmit audio and visual information are no longer routed through the proxy program 100 but instead are redirected onto the appropriate ports and IP addresses by the NAT module 142. The telephony module 146 may determine when the logical connections have been successfully negotiated and transmit all of the appropriate redirect instructions with their respective port assignments and IP addresses to the NAT module 142. The NAT module 142 can then store these redirect instructions in the data structure 156 and redirect the media packets based on the instructions with no involvement from the proxy program 100. As the telephony module 146 creates logical connections between multiple computers of the private network 108 and multiple computers of the public network 116, the telephony module may store redirect instructions in the data structure 156 that instruct the NAT 142 to redirect multiple calls simultaneously.

According to a preferred embodiment of the invention, the telephony module 146 creates a call bridge object (FIG. 5) for each call being proxied between a computer of the private network 108 (FIG. 2) and a computer of the public network 116. Each call bridge object 200 maintains information regarding the connection state of the call and contains the logic required to process incoming and outgoing call control information. Similarly, when one or more of the computers of the private network 108 attempt to access the directory service 120, the directory access module 148 creates a connection object 202. Each connection object 202 contains the processing logic for handling requests from computers of the private network 108 for access to the directory service 120 as well as for handling the responses received from the directory service 120.

To process a call made according to the well-known ITU recommendation H.323, a call bridge object (FIG. 4) may have the architecture shown in FIG. 5. The H.323 call bridge object 200 contains Q.931 state modules 156 and 164 for maintaining the signaling state of the caller and callee respectively. The call bridge object 200 also contains H.245 state modules 168 and 178 for maintaining the state of the H.245 call control for the caller and callee respectively, according to the well-known ITU recommendation H.245 (incorporated herein by reference in its entirety). The H.245 state modules 168 and 178 each contain H.245 logical channel modules 170 and 180 as well as T.120 logical channel modules 172 and 182 for maintaining the state of the H.245 and T.120 channels for the caller and callee respectively, according to the well-known ITU recommendation T.120 (incorporated herein by reference in its entirety). The Q.931 state modules 156 and 164 and the Q.245 state modules 168 and 178 further contain sockets 158, 166, 174 and 184 for communicating with the respective caller and callee. The sockets 158, 166, 174 and 184 may be implemented according to the well-known WINSOCK standard.

The logical processing of the Q.931 call signaling and H.245 call control messages is accomplished by the Q.931 and H.245 logic modules 160 and 176 respectively. A Q.931 state timer module 162 performs timing functions for the Q.931 state modules 156 and 164. The H.323 call bridge object sends and receives Q.931 messages to and from a caller or a callee at the caller socket 166 or the callee socket 158 respectively and processes the messages in the Q.931 logic module 160. Similarly, the H.323 call bridge object sends and receives H.245 messages to and from a caller or callee at the caller socket 174 or callee socket 184 respectively and processes the messages in the H.245 logic module 176.

To process an attempt by a computer of the public network 108 to access the directory service 120 using LDAP, a connection object (FIG. 4) may have the architecture shown in FIG. 6. The LDAP connection object 202 has a processing logic module 206 for processing LDAP messages received from a computer of the private network or from the directory service 120 (FIG. 2). LDAP messages are encoded and decoded in an encoding/decoding module 208. As requests arrive from one or more of the computers of the private network 108, they are stored in a pending requests list 204. An internal to external pump 210 and an external to internal pump 212 communicate with an internal network socket 214 and an external network socket 216 respectively to send LDAP messages to the private network 108 and to the public network 116. Once a request for an addition of an alias to the directory service 120 is approved by the directory service 120 and a successful response to the request is received by the proxy program 100, the processing logic module 206 creates an entry in the data structure 154 that associates the alias with the computer of the private network 108 that submitted the request.

An example of how a computer of the private network 108 (FIG. 2) may register an LDAP alias with the directory service 120 by communicating through the LDAP connection object (FIG. 6) will now be described. The call flow diagram of FIG. 7 shows the message flow that occurs between the computer 104 and the proxy computer 102, as well as between the proxy computer 102 and directory service 120 as the computer 104 attempts the registration process. At step 350 the computer 104 transmits an LDAP AddRequest message on port 1002 having the destination IP address (in the IP header) of the directory service 120. The body of the AddRequest message itself contains the IP address of the requester—192.168.0.55—as well as the alias under which the requester is to be registered—“Joe.” As the AddRequest message reaches the proxy computer 102, the NAT module 142 (FIG. 4) detects that the message is being sent to port 1002 and redirects the message up through the IP module 144 and the TCP module 140 to the proxy program 100. The proxy program 100 creates a connection object 202 having the architecture shown in FIG. 6.

The LDAP connection object 202 receives the AddRequest message on the internal socket 214. The AddRequest message is then retrieved by the pump 210 and sent to the encoding/decoding module 208 to be decoded. The decoded message is then sent to the processing logic module 206. In this example it is assumed that the alias chosen by the computer 104 is the name “Joe.” The processing logic module 206 generates a second AddRequest message that is similar to the one received from the computer 104, except that, instead of having a requester IP address of 192.168.0.55, the second AddRequest message has a requester IP address of 171.31.55.50, which is the public IP address of the proxy computer 102. The processing logic module 206 then stores state information about the AddRequest message in the pending request list 204. The processing logic module then sends the message to the encoding/decoding module 208 to be encoded according to the LDAP protocol. The encoding/decoding module 208 then sends the AddRequest message to the pump 210. The pump 210 then sends the message down through the TCP module 140 (FIG. 4), the IP module 144, the NAT module 142, out the network link 128, over the public network 116 (FIG. 2) and to the directory service 120. Step 352 of FIG. 7 shows the modified AddRequest being transmitted to the directory service.

The directory service 120 determines whether or not to grant the request according to its own internal logic. In this example it will be assumed that the directory service has granted the request. The directory service 120 transmits an AddResponse message back to the proxy computer 102 as shown in Step 354 of FIG. 7. The AddResponse message contains a success code to indicate the fact that the request has been granted. The AddResponse message then travels up through the NAT module 142 (FIG. 4), the IP module 144, the TCP module 140 and to the LDAP connection object (FIG. 6). The AddResponse message travels through the external socket 216, the external to internal pump 212, and to the encoding/decoding module 208. The AddResponse message is then decoded by the encoding/decoding module 208 and sent to the processing logic module 206. The processing logic module 206 then deletes the state information concerning the request from the pending request list 204.

If the AddResponse message indicates that the directory service 120 has accepted the request, the processing logic module 206 makes an entry in the data structure 154 associating the IP address of the private network computer 104 with the alias “Joe.” Examples of data entries that may be created in the data structure 154 are shown in the following table:

Address of private network computer | Alias of the computer | Address of the directory service | Directory or path on the directory service
192.168.0.55 | Joe | 157.54.6.150:389 | cn = joe, ou = Dynamic, o = Intranet
192.168.0.2 | art@bar.com | 157.54.6.150:389 | cn = art, ou = Dynamic, o = Intranet
192.168.0.133 | john_d | 172.31.89.77:1002 | cn = john_d, ou = dynamic, o = Intranet

The processing logic module 206 provides the correct destination IP address—196.168.0.55—to the IP module 144 via the TCP module 140 (FIG. 4). The AddResponse message is then sent back down to the pump 212 then to the socket 214 for transmission to the TCP module 140 and the IP module 144. The IP module 144 wraps the message into an IP packet and inserts the destination IP address into the IP header. The message is then sent to the computer 104, thereby completing the process.

To ensure that only authorized computers on the private network 108 register with the directory service 120 (FIG. 2), the processing logic module 206 (FIG. 6) preferably verifies the authenticity of each AddRequest message by executing the procedure of the flow chart of FIG. 8. At steps 400-406 the processing logic module 206 determines whether the RT person, IP address, and alias attributes are present in the AddRequest message. If any of those attributes are not present the processing logic module 206 does not modify the AddRequest message, but simply passes it to the directory service 120.

Referring to FIG. 9, an example of how the processing logic module 206 (FIG. 6) may process an AddResponse message received from the directory service 120 (FIG. 2) is shown. At step 414 the processing logic module determines whether the directory service approved the request. If the directory service approved the request then the flow proceeds to 416 at which the processing logic module determines whether the data structure 154 contains an identical entry. If no identical entries are contained in the data structure then the processing logic module adds an entry associating the alias with the IP address of the private network computer to the data structure at step 420. If the directory service did not approve the request or there is already an identical entry in the data structure then the processing logic module skips step 420.

The proxy program 100 (FIG. 2) may also send LDAP SearchRequest messages to the directory service 120 on behalf of one or more computers of the private network 108. An LDAP SearchRequest message is a request to a directory service to obtain the IP address corresponding to a submitted alias. State information for the SearchRequest is maintained in the pending requests list 204 of the LDAP connection object 202 (FIG. 6) until a response is received. A directory service receiving the message typically responds with a SearchResponse message.

Referring to FIG. 10, an example of how the processing logic module 206 of the LDAP connection object 202 may handle a SearchResponse message received from the directory service 120 is shown. At steps 422-426 the logic processing module 206 verifies that the search response message contains an RT person, an IP address and an alias attribute. If any of these attributes is not present then the processing logic module 206 simply relays the search response message to the private network computer at step 432.

At step 428 the processing logic module 206 determines whether there is an entry in the data structure 154 that corresponds to the alias and IP address contained in the search response message. This is to account for the possibility that a client program running on the proxy computer 102 itself and acting as a client of the proxy program 100 is searching for a computer on the private network 108. For example, if a client program running on the proxy computer 102 sends a Search message for the alias “Joe,” then the IP address returned by the directory service 120 will be 171.31.55.50, since that is how “Joe” is listed in the directory 121. This IP address will, of course, be of little help to the client program.

If the processing logic module 206 finds the sought-after alias in the data structure 154, then it will generate a second SearchResponse message that contains the IP address of the computer associated with the alias. Thus, instead of receiving the IP address of 171.31.55.50 in response to a SearchRequest for “Joe,” a client program running on the proxy computer 102 receives the IP address 192.168.0.55.

The proxy program 100 (FIG. 2) may also forward LDAP Delete messages received from computers of the private network 108 to the directory service 120. An LDAP Delete message is a request to a directory service to delete an entry. The body of a Delete message contains the alias of the entry to be deleted. When it receives an LDAP delete message from within the private network 108, the logic processing module 206 determines whether the entry that the private network computer has requested to be deleted is located in the data structure 154. If there is an entry in the data structure 154 corresponding to the IP address and the alias contained in the delete request then the logic processing unit 206 deletes the entry from the data structure 154.
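The LDAP handling described above (AddRequest rewriting, the commit on AddResponse, SearchResponse rewriting and Delete) can be modelled as follows. This is an added illustration, not code from the patent: messages are plain dictionaries rather than encoded LDAP, the attribute keys rtPerson, ipAddress and alias are hypothetical names, and the two behaviours marked as assumptions in the comments are not specified by the text.

```python
from dataclasses import dataclass, field

PROXY_PUBLIC_IP = "171.31.55.50"               # public address of proxy computer 102 in the text
REQUIRED = ("rtPerson", "ipAddress", "alias")  # hypothetical attribute keys


def complete(attrs: dict) -> bool:
    """Gate of FIG. 8 and FIG. 10: all three attributes must be present."""
    return all(key in attrs for key in REQUIRED)


@dataclass
class LdapProxyLogic:
    alias_table: dict = field(default_factory=dict)  # data structure 154: alias -> private IP
    pending: dict = field(default_factory=dict)      # pending request list 204, by message id

    def on_add_request(self, msg_id: int, attrs: dict) -> dict:
        """Return the AddRequest that is forwarded to the directory service."""
        if not complete(attrs):
            return dict(attrs)                       # relayed unmodified, nothing recorded
        self.pending[msg_id] = (attrs["alias"], attrs["ipAddress"])
        return {**attrs, "ipAddress": PROXY_PUBLIC_IP}

    def on_add_response(self, msg_id: int, success: bool) -> bool:
        """Commit the alias only after the directory approves (FIG. 9)."""
        state = self.pending.pop(msg_id, None)       # state is dropped either way
        if state is None or not success:
            return False
        alias, private_ip = state
        if self.alias_table.get(alias) == private_ip:
            return False                             # identical entry: step 420 skipped
        self.alias_table[alias] = private_ip         # assumption: a differing entry is replaced
        return True

    def on_search_response(self, attrs: dict) -> dict:
        """Return the SearchResponse handed to a client behind the proxy."""
        if not complete(attrs):
            return dict(attrs)
        private_ip = self.alias_table.get(attrs["alias"])
        # Assumption: rewrite only when the directory lists this proxy's own address.
        if private_ip is None or attrs["ipAddress"] != PROXY_PUBLIC_IP:
            return dict(attrs)
        return {**attrs, "ipAddress": private_ip}

    def on_delete_request(self, alias: str, requester_ip: str) -> bool:
        """Drop the entry only when both the alias and the IP address match it."""
        if self.alias_table.get(alias) != requester_ip:
            return False
        del self.alias_table[alias]
        return True


if __name__ == "__main__":
    proxy = LdapProxyLogic()
    # Constructed messages that reuse the example values from the text.
    print(proxy.on_add_request(1, {"rtPerson": "x", "ipAddress": "192.168.0.55", "alias": "Joe"}))
    proxy.on_add_response(1, success=True)
    print(proxy.on_search_response({"rtPerson": "x", "ipAddress": PROXY_PUBLIC_IP, "alias": "Joe"}))
```

Because the alias table is written only when a pending request is matched by a successful AddResponse, a response with no recorded request leaves the table unchanged.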

An example of how a computer of the public network 116 (FIG. 2) may make an H.323 call to a computer of the private network 108 through the proxy computer 102 using an H.323 call bridge object (FIG. 5) will now be described. In this example, the computer 110 will call the computer 104. It will, however, be understood by persons of ordinary skill in the art that the computer 110 may actually be relaying or proxying a call from one or more other computers, and may even be acting as a public proxy for a second private network. It is assumed that the private network computer is already registered with the directory service 120 and is represented by the entry 123. It is also assumed that this registration was performed using the procedure described in steps 350-356 of FIG. 9 or a similar procedure, and, therefore, that the data structure 154 (FIG. 4) associates “Joe” with the IP address of the computer 104. It is also assumed that the computer 110 has already performed an LDAP search for the alias “Joe” and has obtained the IP address 172.31.20.55.

Referring to the call flow diagram of FIGS. 11 and 12, the public network computer 110 sends a Q.931 SETUP message to port 1720 of the proxy computer at step 302. The SETUP message reaches the proxy computer 102 over the network link 128 (FIG. 4) and is intercepted by the NAT module 142, which is monitoring port 1720. The NAT module 142 sends the SETUP message up through the IP module 144, the TCP module 140 and into a call bridge object 200, which in this example is an H.323 call bridge object (FIG. 5). The H.323 call bridge object receives the SETUP message on the caller socket 158 of the Q.931 state module 156. The SETUP message is then sent to the Q.931 logic module 160. The Q.931 logic module 160 recognizes that the SETUP message originated from outside of the private network and reads the alias “Joe” from the body of the SETUP message. The Q.931 logic module 160 then makes a function call to the directory access module 148 (FIG. 4) to request the IP address corresponding to the alias “Joe.” The directory access module 148 searches the data structure 154 to determine which of the computers of the network 108 is using the alias “Joe.” If the alias were not located then the directory access module 148 would signal this fact to the H.323 call bridge object 200. The H.323 call bridge object 200 may then generate the appropriate error message to be transmitted back to the public network computer 110, or forward the call to the proxy computer 102 itself.

In this example, however, the data structure 154 does have an entry for “Joe.” The directory access module determines the IP address associated with the alias “Joe” to be 192.168.0.55 and provides this IP address to the Q.931 logic module of the H.323 call bridge object 200. The Q.931 logic module 160 then generates a second SETUP message on behalf of the computer 110. The second SETUP message has the same alias as the SETUP message sent by the computer 110, but has a callee IP address of 192.168.0.55. The Q.931 logic module 160 also provides the replacement IP address to the IP module 144 and stores the replacement IP address in the Q.931 state module 164 so that it need not make further calls to the directory access module 148. The Q.931 logic module 160 then transmits the modified SETUP message through the callee socket 166 (FIG. 5) through the TCP module 140 and the IP module 144. The IP module 144 creates an IP packet containing the message, and inserts the destination address of 192.168.0.55 into the IP header. The message passes through the NAT module 142 and out to the private network computer 104 at step 304. The private network computer 104 responds to the SETUP message with a CALL PROCEEDING message and an ALERTING message at steps 306 and 310. These messages are relayed by the H.323 call bridge 200 to the computer 110 at steps 306-312.

At step 314, the computer 104 transmits a Q.931 CONNECT message to the proxy computer 102. The body of the CONNECT message contains the number of the port to be used by the computer 104 for H.245 control data. The H.245 port number is dynamically chosen by the computer 104, and for this example is assumed to be port 1200. The Q.931 logic module 206 then generates a second CONNECT message on behalf of the computer 104. The second CONNECT message has the same format and function as the one received from the computer 104, except that the body of the second message contains the H.245 port number chosen by the Q.931 logic module 160 for communication with the computer 110. For the purpose of this example, it is assumed that the Q.931 logic module 160 chooses port number 1300 for sending and receiving H.245 control data to and from the public network computer 110. The Q.931 logic module 160 provides the destination IP address to the IP module 144.

At step 316, the Q.931 logic module 160 transmits the second CONNECT message out to the computer 110. As the second CONNECT message passes through the IP module 144, the IP module 144 wraps it into an IP packet, and inserts the destination IP address into the IP header.

At step 318 (FIG. 13), the public network computer 110 transmits an H.245 OpenLogicalChannel message to the proxy computer 102. The body of the OpenLogicalChannel message contains port numbers that are to be used for sending and receiving video and audio signals during the call. In this example, it is assumed that the computer 110 has chosen to use port 1400 for audio data and port 1500 for video data, and has indicated so in the body of the OpenLogicalChannel message. The OpenLogicalChannel message is received by the proxy computer 102 on the caller socket 174 of the H.245 state module 168 (FIG. 5). The message then travels to the H.245 logic module 176. The H.245 logic module 176 generates a second OpenLogicalChannel message on behalf of the computer 110. In this example, it will be assumed that the H.245 logic module has chosen port 1450 for audio communication and port 1550 for video communication with the private network computer 104. Thus, the H.245 logic module 176 inserts the port numbers 1400 and 1500 in the body of the second OpenLogicalChannel message.

At step 320 (FIG. 12), the H.245 logic module 176 transmits the second OpenLogicalChannel message to the private network computer 104. As the message passes through the IP module 144 (FIG. 4) it gets wrapped into an IP packet. The IP module 144 inserts the destination IP address into the packet header. At step 322, the computer 104 responds by transmitting an OpenLogicalChannelAck message to the proxy computer 102 over port 1200. At step 324 the proxy computer sends the OpenLogicalChannelAck message to the public network computer 110 on port 1300. On its way through the IP module 144, the modified message is wrapped into an IP packet with the destination IP address in the IP header. At this point, a logical connection has been established between the computer 104 and the public computer 110.

After having established the logical connection between the caller and callee computers, the proxy program 100 may instruct the NAT module 142 (FIG. 4) to redirect TCP/IP packets sent from the private network computer 104 on ports 1450 and 1550 to the public network computer 100 on ports 1400 and 1500. If instructed to do so, the NAT module 142 will also make the appropriate replacements in the IP header source and destination fields. For example, the proxy program 100 may enter the instructions (1450,192.168.0.55→192.168.0.1)+(171.31.55.50→1400, 172.31.55.55) into the data structure 156. This prevents the proxy program 100 from having to interfere in the transmission of media packets between the private network computer 104 and the public network computer 110.
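The call bridge's rewriting of SETUP, CONNECT and OpenLogicalChannel, and the media redirects derived from it, can be sketched as follows. This is an added illustration, not code from the patent: messages are plain dictionaries, the port allocator is a hypothetical iterator, the caller address 203.0.113.10 is a constructed documentation address, and the sketch assumes the second OpenLogicalChannel message carries the proxy-chosen ports that the redirect paragraph maps back to the caller's ports.

```python
from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class H323CallBridge:
    alias_table: dict                       # alias -> private IP, as in data structure 154
    proxy_ports: Iterator[int]              # hypothetical allocator for proxy-side ports
    callee_ip: Optional[str] = None
    h245_ports: Optional[tuple] = None      # (callee's port, proxy port offered to caller)
    media_ports: dict = field(default_factory=dict)  # kind -> (caller port, proxy port)

    def on_setup(self, setup: dict) -> Optional[dict]:
        """Q.931 SETUP from outside: resolve the alias or refuse the call."""
        ip = self.alias_table.get(setup["alias"])
        if ip is None:
            return None                     # alias not registered: caller gets an error
        self.callee_ip = ip
        return {**setup, "callee_ip": ip}

    def on_connect(self, connect: dict) -> dict:
        """Q.931 CONNECT from the callee: hide its H.245 port behind a proxy port."""
        proxy_port = next(self.proxy_ports)
        self.h245_ports = (connect["h245_port"], proxy_port)
        return {**connect, "h245_port": proxy_port}

    def on_open_logical_channel(self, olc: dict) -> dict:
        """H.245 OpenLogicalChannel from the caller: substitute proxy media ports."""
        rewritten = {}
        for kind, caller_port in olc["ports"].items():
            proxy_port = next(self.proxy_ports)
            self.media_ports[kind] = (caller_port, proxy_port)
            rewritten[kind] = proxy_port
        return {**olc, "ports": rewritten}

    def nat_redirects(self, caller_ip: str) -> list:
        """One redirect per media channel, each pinned to an exact address and port."""
        return [
            {"match": (self.callee_ip, proxy_port), "rewrite_to": (caller_ip, caller_port)}
            for caller_port, proxy_port in self.media_ports.values()
        ]


if __name__ == "__main__":
    # Port numbers follow the example in the text; the caller address is constructed.
    bridge = H323CallBridge({"Joe": "192.168.0.55"}, iter([1300, 1450, 1550]))
    print(bridge.on_setup({"alias": "Joe", "callee_ip": "171.31.55.50"}))
    print(bridge.on_connect({"h245_port": 1200}))
    print(bridge.on_open_logical_channel({"ports": {"audio": 1400, "video": 1500}}))
    print(bridge.nat_redirects("203.0.113.10"))
```

Each redirect names one private address and port and one caller address and port, so the entries handed to the NAT module cover only the channels negotiated for this call.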

The above described procedure may also be used to allow one or more computers of the private network 108 to place outgoing calls to computers of the public network 116. By making the calls via the proxy computer 102, computers on the private network 108 may avoid having to disclose their internal IP addresses.

In view of the many possible embodiments to which the principles of this invention may be applied, it should be recognized that the embodiments described herein with respect to the drawing figures are meant to be illustrative only and should not be taken as limiting the scope of the invention. It should also be recognized that the various steps involved in carrying out the methods described above as well as the specific implementation of each step described above may be changed in ways that will be apparent to those of skill in the art.

Finally, those of skill in the art will recognize that the elements of the illustrated embodiment shown in software may be implemented in hardware and vice versa, and that the illustrated embodiment can be modified in arrangement and detail without departing from the spirit of the invention. Therefore, the invention as described herein contemplates all such embodiments as may come within the scope of the following claims and equivalents thereof.

1. (canceled)
2. A method of proxying telephony messages, the method comprising: associating an internet protocol (IP) address of a proxy computer with an alias; registering the alias with a directory service, wherein the alias corresponds to a callee computer; initiating a request to the callee computer using the alias; submitting the request to the directory service; and matching the alias in a directory and returning the IP address that is listed for the alias, which is the public network address of the proxy computer.
3. The method of claim 2, wherein a calling computer initiates the request to the callee computer using the alias.
4. The method of claim 2, wherein the alias of the callee computer is used to request the IP address of the proxy computer.
5. The method of claim 2, further comprising: receiving a first call control message from a calling computer of a public network; generating a second call control message; and sending the second call control message to the callee computer.
6. The method of claim 5, wherein the first call control message comprises the public network address of the proxy computer and a first set of port assignments for media communication between the proxy computer and the calling computer on behalf of the callee computer.
7. The method of claim 6, wherein the first set of port assignments are assigned by the calling computer.
8. The method of claim 7, wherein the first set of port assignments includes a port for audio transmissions and another port for video transmissions between the proxy computer and the calling computer on the behalf of the callee computer.
9. The method of claim 6, wherein the second call control message comprises a private network address of the callee computer and a second set of port assignments for media communication between the proxy computer and the callee computer on behalf of the calling computer.
10. The method of claim 9, where the second set of port assignments are assigned by the proxy computer.
11. The method of claim 10, wherein the second set of port assignments includes a port for audio transmissions and another port for video transmissions between the proxy computer and the callee computer on the behalf of the calling computer.
12. The method of claim 11, wherein the calling computer exchanges data with the private network computer via the proxy computer using the first set of ports assigned by the calling computer, and the proxy computer forwards the data to the private network computer using the second set of ports assigned by the proxy computer.
13. The method of claim 5, wherein the proxy computer sends the second call control message to the callee computer on behalf of the calling computer.
14. The method of claim 5, wherein the first and second call control messages are open logical channel messages for opening logical channels between the calling computer and the proxy computer and between the callee computer and the proxy computer, respectively.
15. The method of claim 14, wherein the open logical channel messages are structured in accordance with the H.245 protocol.
16. A method of registering with a directory service, the method comprising: receiving a message comprising an alias for identifying a callee computer; registering the alias corresponding to the callee computer with the directory service; and associating an internet protocol (IP) address of a proxy computer with the alias.
17. The method of claim 16, further comprising creating an entry for the alias associated with the IP address of the proxy computer.
18. The method of claim 16, wherein the alias is an email alias.
19. A system for facilitating the proxying of telephony messages, the system comprising: means for associating an internet protocol (IP) address of a proxy computer with an alias; means for registering the alias with a directory service, wherein the alias corresponds to a callee computer; means for initiating a request to the callee computer using the alias; means for submitting the request to the directory service; means for matching the alias in a directory and returning the IP address that is listed for the alias, which is the public network address of the proxy computer; means for receiving a first call control message from a calling computer of a public network; means for generating a second call control message; and means for sending the second call control message to the callee computer.
20. The system of claim 19, wherein the first call control message comprises the public network address of the proxy computer and a first set of port assignments for media communication between the proxy computer and the calling computer on behalf of the callee computer.
21. The system of claim 20, wherein the second call control message comprises a private network address of the callee computer and a second set of port assignments for media communication between the proxy computer and the callee computer on behalf of the calling computer.